CVE-2002-0518
CVSS 5.0
Published: 2002-08-12 00:00:00
Revised: 2008-09-05 16:28:14

[Original] The SYN cache (syncache) and SYN cookie (syncookie) mechanism in FreeBSD 4.5 and earlier allows remote attackers to cause a denial of service (crash) (1) via a SYN packet that is accepted using syncookies that causes a null pointer to be referenced for the socket's TCP options, or (2) by killing and restarting a process that listens on the same socket, which does not properly clear the old inpcb pointer on restart.


[CNNVD] FreeBSD 4.5 syncache/syncookies denial of service vulnerability (CNNVD-200208-210)

        
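        FreeBSD is an open-source operating system. FreeBSD 4.5 supports the SYN cache (syncache) and SYN cookies (syncookies) mechanisms, which provide protection against flooding denial-of-service attacks.
        With syncookies implemented, the syncache can trigger two vulnerabilities, either of which can crash the system.
        1) When a SYN packet is accepted via a syncookie, an uninitialized pointer is used to look up the TCP options for the new socket. This pointer can be NULL, which can crash the system.
        2) When a SYN packet arrives at a listening socket, a syncache entry is created. If the application that created the listening socket is killed or restarted, the listening socket is re-created with a different inpcb. An ACK packet or duplicate SYN packet that arrives later and matches the existing syncache entry then causes the old inpcb pointer to be referenced; depending on the pointer's contents, this can crash the system.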
        

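- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]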

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.5:release

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0518
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0518
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-210
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4524
(VENDOR_ADVISORY)  BID  4524
http://www.iss.net/security_center/static/8875.php
(VENDOR_ADVISORY)  XF  bsd-syncache-inpcb-dos(8875)
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-02:20
http://www.osvdb.org/6046
(UNKNOWN)  OSVDB  6046
http://www.iss.net/security_center/static/8873.php
(UNKNOWN)  XF  bsd-syncookie-pointer-dos(8873)

- Vulnerability information

FreeBSD 4.5 syncache/syncookies denial of service vulnerability
Medium severity  Other
2002-08-12 00:00:00 2005-10-20 00:00:00
Remote
        
        

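- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Temporarily disable the syncookie mechanism:
        # sysctl -w net.inet.tcp.syncookies=0
        Vendor patch:
        FreeBSD
        -------
        FreeBSD has released a security advisory (FreeBSD-SA-02:20) and a corresponding patch for this issue:
        FreeBSD-SA-02:20: syncache/syncookies denial of service
        Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc
        Patch download:
        1) Upgrade the affected FreeBSD system to 4.5-STABLE or the RELENG_4_5 security branch dated after the respective correction date.
        2) Patch the existing system: download the relevant patch from the following location and run the following commands as root:
        # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
        # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc
        This patch applies only to 4.5-RELEASE.
        Verify the detached PGP signature using your PGP utility.
        Run the following commands as root:
        # cd /usr/src
        # patch -p < /path/to/patch
        Recompile the kernel as described at the following link and reboot the system:
        
        http://www.freebsd.org/handbook/kernelconfig.html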

- Vulnerability information

6046
FreeBSD syncache/syncookie TCP Socket DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability

- Vulnerability description

FreeBSD contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user sets an uninitialized syncookie pointer to null, or sends a duplicate SYN that matches a previous syncache entry, causing a reference to the old inpcb pointer. This would result in loss of availability for the platform.

- Timeline

2002-04-16 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.5-STABLE or the RELENG_4_5 security branch dated after the respective correction dates, as it has been reported to fix this vulnerability. Also, FreeBSD has released a patch. It is also possible to correct the flaw by implementing the following workaround to prevent a malicious user from setting the syncookie pointer to null:

# sysctl -w net.inet.tcp.syncookies=0

There is no workaround to resolve the syncache manipulation.

- Related references

- Vulnerability author

- Vulnerability information

FreeBSD 4.5 syncache / syncookies Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 4524
Yes No
2002-04-16 12:00:00 2009-07-11 11:56:00
Credit is given to Alan Judge <Alan.Judge@eircom.net> and Dima Ruban <dima@FreeBSD.org>.

- Affected software versions

FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE

- Vulnerability discussion

Recent versions of FreeBSD 4.5 include support for a SYN cache (syncache) and SYN cookies (syncookies) mechanism. This provides some level of protection from a class of denial of service flooding attacks.

Multiple denial of service issues have been reported in some versions of these features. A malicious attacker may be able to take advantage of these issues to cause the vulnerable system to crash. A restart may be required in order to regain normal functionality.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

FreeBSD suggests that one of these issues may be dealt with by disabling syncookies through the following command:

# sysctl -w net.inet.tcp.syncookies=0

This issue was resolved in 4.5-STABLE on January 21, 2002.

A patch is also available. The following patch instructions have been supplied:

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.



- Related references

     

     
